Revert "Enable a system PKCS #11 token."

This reverts commit 0398d33e3041ffafee8468f551af9926acc28a8a.

This change is suspected of causing network_VPNConnect failures.

BUG=chromium:339743

Change-Id: If1c340282e0dd3eb3fe41f7651483894c8e9efd2
Reviewed-on: https://chromium-review.googlesource.com/184482
Reviewed-by: Richard Barnette <jrbarnette@chromium.org>
Tested-by: Richard Barnette <jrbarnette@chromium.org>
diff --git a/chapsd.conf b/chapsd.conf
index d2e8143..5b7934f 100644
--- a/chapsd.conf
+++ b/chapsd.conf
@@ -20,7 +20,5 @@
     VERBOSE="--v=1"
     rm /home/chronos/.chaps_debug_1
   fi
-  mkdir -p /var/lib/chaps
-  chown chaps:chronos-access /var/lib/chaps
   exec chapsd ${VERBOSE}
 end script
diff --git a/p11_replay.cc b/p11_replay.cc
index 339ff85..97afaeb 100644
--- a/p11_replay.cc
+++ b/p11_replay.cc
@@ -60,6 +60,7 @@
     LOG(INFO) << "No slots.";
     exit(-1);
   }
+  LOG(INFO) << "Choosing slot " << slot_list[0];
   return slot_list[0];
 }
 
@@ -385,28 +386,10 @@
     CreateCertificate(session, object_data, object_id, certificate);
     X509_free(certificate);
   } else if (type == kPrivateKey) {
-    // Try decoding a PKCS#1 RSAPrivateKey structure.
     RSA* rsa = d2i_RSAPrivateKey(NULL, &data_start, object_data.length());
     if (!rsa) {
-      // Rewind the ptr just in case it was modified.
-      data_start = reinterpret_cast<const unsigned char*>(object_data.c_str());
-      // Try decoding a PKCS#8 structure.
-      PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL,
-                                                        &data_start,
-                                                        object_data.length());
-      if (!p8 || ASN1_TYPE_get(p8->pkey) != V_ASN1_OCTET_STRING) {
-        LOG(ERROR) << "OpenSSL error in PKCS #8 private key parsing.";
-        exit(-1);
-      }
-      // See if we have a RSAPrivateKey in the PKCS#8 structure.
-      data_start = p8->pkey->value.octet_string->data;
-      rsa = d2i_RSAPrivateKey(NULL, &data_start,
-                              p8->pkey->value.octet_string->length);
-      PKCS8_PRIV_KEY_INFO_free(p8);
-      if (!rsa) {
-        LOG(ERROR) << "OpenSSL error in RSA private key parsing.";
-        exit(-1);
-      }
+      LOG(ERROR) << "OpenSSL error in RSA private key parsing.";
+      exit(-1);
     }
     CreatePrivateKey(session, object_id, "testing_key", rsa);
     RSA_free(rsa);
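Review bot: The surviving `if (!rsa)` branch now covers only a PKCS#1 `RSAPrivateKey` DER blob, so any other private-key encoding fails with the generic "OpenSSL error in RSA private key parsing." and an `exit(-1)` with nothing to tell the operator which format was expected. A one-line comment above the call, `// Only a DER-encoded PKCS#1 RSAPrivateKey is accepted here.`, plus matching wording in the PrintHelp `--import` description in the later hunk ("DER formatted PKCS#1 private keys" rather than the generic "DER formatted private keys") would make the accepted input explicit. If the tool already initialises the OpenSSL error strings, dumping the error queue before exiting would make the failure diagnosable, but I cannot confirm from the hunk that the ERR API is in use here. The enclosing function starts and ends outside the hunk.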
@@ -482,7 +465,7 @@
 }
 
 void PrintHelp() {
-  printf("Usage: p11_replay [--slot=<slot>] [COMMAND]\n");
+  printf("Usage: p11_replay [COMMAND]\n");
   printf("Commands:\n");
   printf("  --cleanup : Deletes all test keys.\n");
   printf("  --generate [--label=<key_label> --key_size=<size_in_bits>]"
@@ -491,8 +474,8 @@
          "useful for comparing key generation on different TPM models.\n");
   printf("  --import --path=<path to file> --type=<cert, privkey, pubkey>"
          " --id=<token id str>"
-         " : Reads an object into the token.  Accepts DER formatted X.509"
-         " certificates and DER formatted PKCS#1 or PKCS#8 private keys.\n");
+         " : Reads an object into the token.  Accepts DER formatted"
+         " certificates and DER formatted private keys.\n");
   printf("  --inject [--label=<key_label> --key_size=<size_in_bits>]"
          " : Locally generates a key pair suitable for replay tests and injects"
          " it into the token.\n");
@@ -609,11 +592,6 @@
   chromeos::InitLog(chromeos::kLogToSyslog | chromeos::kLogToStderr);
   base::TimeTicks start_ticks = base::TimeTicks::Now();
   CK_SLOT_ID slot = Initialize();
-  int tmp_slot = 0;
-  if (cl->HasSwitch("slot") &&
-      base::StringToInt(cl->GetSwitchValueASCII("slot"), &tmp_slot))
-    slot = tmp_slot;
-  LOG(INFO) << "Using slot " << slot;
   CK_SESSION_HANDLE session = OpenSession(slot);
   PrintTicks(&start_ticks);
   string label = "_default";
diff --git a/slot_manager_impl.cc b/slot_manager_impl.cc
index d6df63b..faa7d07 100644
--- a/slot_manager_impl.cc
+++ b/slot_manager_impl.cc
@@ -14,7 +14,6 @@
 
 #include <base/basictypes.h>
 #include <base/file_path.h>
-#include <base/file_util.h>
 #include <base/logging.h>
 #include <base/memory/scoped_ptr.h>
 #include <chromeos/secure_blob.h>
@@ -47,10 +46,6 @@
 const CK_ULONG kMaxPinLen = 127;
 const CK_ULONG kMinPinLen = 6;
 const char kSlotDescription[] = "TPM Slot";
-const FilePath::CharType kSystemTokenPath[] =
-    FILE_PATH_LITERAL("/var/lib/chaps");
-const char kSystemTokenAuthData[] = "000000";
-const char kSystemTokenLabel[] = "System TPM Token";
 const char kTokenLabel[] = "User-Specific TPM Token";
 const char kTokenModel[] = "";
 const char kTokenSerialNumber[] = "Not Available";
@@ -294,29 +289,15 @@
     LOG(WARNING) << "TPM failed to generate random data.";
   }
 
-  // Add default isolate.
+  // Add default isolate
   AddIsolate(IsolateCredentialManager::GetDefaultIsolateCredential());
 
-  // By default we'll start with two slots.  This allows for one 'system' slot
+  // Default semantics are to always start with two slots.  One 'system' slot
   // which always has a token available, and one 'user' slot which will have no
   // token until a login event is received.
-  AddSlots(2);
-
-  if (file_util::DirectoryExists(FilePath(kSystemTokenPath))) {
-    // Setup the system token.
-    int system_slot_id = 0;
-    if (!LoadToken(IsolateCredentialManager::GetDefaultIsolateCredential(),
-                   FilePath(kSystemTokenPath),
-                   SecureBlob(kSystemTokenAuthData),
-                   kSystemTokenLabel,
-                   &system_slot_id)) {
-      LOG(ERROR) << "Failed to load the system token.";
-      return false;
-    }
-  } else {
-    LOG(WARNING) << "System token not loaded because " << kSystemTokenPath
-                 << " does not exist.";
-  }
+  // TODO(dkrahn): Make this 2 once we're ready to enable the system token.
+  // crosbug.com/27759.
+  AddSlots(1);
   return true;
 }
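Review bot: The rewritten comment beginning "Default semantics are to always start with two slots" still describes a 'system' slot that always has a token, while the statement directly beneath it is `AddSlots(1);` and the TODO says the count only becomes 2 later, so the comment contradicts the line it documents. Rewrite the paragraph to state current behaviour, e.g. `// Currently only one 'user' slot is created; it has no token until a login` / `// event is received. A second 'system' slot that always holds a token is` / `// planned — see the TODO below.` The enclosing function starts outside the hunk.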
 
diff --git a/slot_manager_test.cc b/slot_manager_test.cc
index 0d066da..2da601b 100644
--- a/slot_manager_test.cc
+++ b/slot_manager_test.cc
@@ -209,7 +209,7 @@
 }
 
 TEST_F(TestSlotManager, DefaultSlotSetup) {
-  EXPECT_EQ(2, slot_manager_->GetSlotCount());
+  EXPECT_EQ(1, slot_manager_->GetSlotCount());
   EXPECT_FALSE(slot_manager_->IsTokenAccessible(ic_, 0));
 }
 
@@ -304,6 +304,7 @@
                                        kTokenLabel,
                                        &slot_id2));
   EXPECT_EQ(slot_id, slot_id2);
+  EXPECT_EQ(2, slot_manager_->GetSlotCount());
   EXPECT_TRUE(slot_manager_->LoadToken(ic_,
                                        FilePath("another_path"),
                                        MakeBlob(kAuthData),
@@ -316,6 +317,7 @@
   slot_manager_->ChangeTokenAuthData(FilePath("yet_another_path"),
                                        MakeBlob(kAuthData),
                                        MakeBlob(kNewAuthData));
+  EXPECT_LT(slot_manager_->GetSlotCount(), 5);
   // Logout with an unknown path.
   slot_manager_->UnloadToken(ic_, FilePath("still_yet_another_path"));
   slot_manager_->UnloadToken(ic_, FilePath("some_path"));
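Review bot: `EXPECT_LT(slot_manager_->GetSlotCount(), 5);` asserts only a loose upper bound, unlike the exact `EXPECT_EQ` checks the other hunks in this file add, so a regression that grows the slot count by one per LoadToken or ChangeTokenAuthData call would still pass. If the count at this point is deterministic (the preceding hunk asserts exactly 2 right after the second LoadToken), prefer `EXPECT_EQ(<expected count>, slot_manager_->GetSlotCount());` or add a comment explaining why only a bound is checked here. The test body starts outside the hunk, so the exact expected value cannot be confirmed from what is shown.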
@@ -444,6 +446,7 @@
                                        MakeBlob(kAuthData),
                                        kTokenLabel,
                                        &slot_id));
+  EXPECT_EQ(1, slot_manager_->GetSlotCount());
 
   EXPECT_TRUE(slot_manager_->OpenIsolate(&new_isolate_1, &new_isolate_created));
   EXPECT_TRUE(new_isolate_created);
@@ -452,6 +455,7 @@
                                        MakeBlob(kAuthData),
                                        kTokenLabel,
                                        &slot_id));
+  EXPECT_EQ(2, slot_manager_->GetSlotCount());
 
   // Ensure tokens are only accessible with the valid isolate cred.
   EXPECT_TRUE(slot_manager_->IsTokenAccessible(new_isolate_0, 0));